From Tracking to Privacy: A Simple Guide to be Ready for the End of Third-Party Cookies

Giga Prakosa Hikmata
Published in mamitech · 4 min read · Jul 4, 2023

As we enter the second half of 2023, it’s important to be ready for the upcoming changes concerning third-party cookies. These cookies, which have been widely used for tracking across different websites, are now facing significant limitations imposed by popular web browsers. According to the Privacy Sandbox’s Timeline, the transition away from third-party cookies will happen gradually, starting around the middle of 2024. Let’s explore practical steps to audit our codebase for third-party cookies and discuss actions we can take to adapt.


First Things First

To effectively prepare for the eventual end of third-party cookies, let’s break it down into several steps:

  1. Identify first-party and third-party cookies in our code.
  2. Audit the usage of third-party cookies and assess their impact on our site.
  3. Explore alternative solutions provided by the Privacy Sandbox project to replace third-party cookies.
  4. Implement the necessary changes to ensure a seamless transition.

Identifying First-Party and Third-Party Cookies

Before we proceed, let’s understand the distinction between first-party and third-party cookies within the user’s context.

First-Party Cookies

First-party cookies are associated with the site that sets them and are used exclusively within that site. To identify first-party cookies in our code, we can look for cookies set without the SameSite attribute or with SameSite set to “Lax” or “Strict.” Here’s an example of a first-party cookie:

document.cookie = "cookie-name=value; SameSite=Lax;";

To ensure consistent behavior across browsers, we should set the appropriate SameSite attribute for our first-party cookies. Consider using the following practice:

document.cookie = "__Host-cookiename=value; Secure; Path=/; SameSite=Lax;";

A few examples of commonly used first-party cookies:

  1. Authentication Cookies: These cookies track whether a user is logged in or not, allowing websites to maintain their session.
  2. Personalization Cookies: Cookies are used to remember user preferences and personalize the website experience, such as preferred categories or personalized recommendations.
  3. Form Auto-fill Cookies: When users fill out forms on websites, cookies can be used to remember their entered information and make it convenient for future form submissions.

Third-Party Cookies

Third-party cookies are used in cross-site contexts, such as iframes or subresource requests. To identify third-party cookies in our code, we can search for cookies containing the SameSite=None attribute. Here’s an example of a third-party cookie:

document.cookie = "cookie-name=value; SameSite=None; Secure;";

Identifying third-party cookies is crucial as they will require action to ensure they continue to function correctly.

A few examples of commonly used third-party cookies:

  1. Advertising Cookies: These cookies track users’ browsing habits across different websites to show them relevant ads based on their interests.
    Popular services: Google AdSense, Facebook Pixel
  2. Social Media Cookies: These cookies enable social media platforms to provide sharing buttons on our websites, allowing users to easily share content on their social media profiles.
    Popular services: Facebook Connect, LinkedIn Share
  3. Analytics Cookies: These cookies collect data on how users interact with our website, helping us understand our audience.
    Popular services: Google Analytics, Mixpanel

Auditing Third-Party Cookies

To prepare for the end of third-party cookies, let’s audit their usage and assess their impact on our site. Here are some steps we can follow:

  1. Review our codebase and identify all instances where third-party cookies are set or accessed.
  2. Examine the use cases for which third-party cookies are employed, such as embedded content or personalized content tracking.
  3. Verify that any third-party cookies we rely on are set with the SameSite=None attribute and the “Secure” flag to adhere to browser policies.
  4. Test our site with third-party cookies blocked and use browser developer tools to identify any potential issues caused by the absence of third-party cookies.
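
The attribute checks from the audit steps can be scripted over the cookie strings found in a codebase. The following is an added example, not code from the original post: parseCookie, auditCookie and the finding codes are hypothetical names, and the sample strings are constructed from the cookie examples in this article plus two deliberately broken ones.

```javascript
// Added example; parseCookie/auditCookie and the finding codes are hypothetical names.
function parseCookie(str) {
  const [first = '', ...rest] = str.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = first.indexOf('=');
  const name = eq === -1 ? '' : first.slice(0, eq).trim();
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes (Secure) have no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

function auditCookie(str) {
  const { name, attrs } = parseCookie(str);
  const findings = [];
  const secure = attrs.has('secure');
  const sameSite = attrs.has('samesite') ? attrs.get('samesite').toLowerCase() : null;

  if (sameSite === null) findings.push('no-samesite'); // falls back to the browser default
  else if (!['lax', 'strict', 'none'].includes(sameSite)) findings.push('invalid-samesite');

  if (sameSite === 'none') {
    if (!secure) findings.push('none-without-secure'); // SameSite=None requires Secure
    // Cross-site cookie with no partition key: needs CHIPS, FPS/SAA or removal.
    if (!attrs.has('partitioned')) findings.push('cross-site-unpartitioned');
  }
  if (attrs.has('partitioned') && !secure) findings.push('partitioned-without-secure');
  // __Host- requires Secure, Path=/ and no Domain attribute.
  if (name.startsWith('__Host-') &&
      !(secure && attrs.get('path') === '/' && !attrs.has('domain'))) {
    findings.push('host-prefix-invalid');
  }
  return { name, findings };
}

// Constructed sample input: this article's four cookie strings plus two broken ones.
const samples = [
  'cookie-name=value; SameSite=Lax;',
  '__Host-cookiename=value; Secure; Path=/; SameSite=Lax;',
  'cookie-name=value; SameSite=None; Secure;',
  'cookie-name=value; SameSite=None; Secure; Path=/; Partitioned;',
  'widget=1; SameSite=None',
  '__Host-session=abc; Secure; Path=/; Domain=example.com; SameSite=Strict',
];
for (const s of samples) console.log(JSON.stringify(auditCookie(s)));
```

A cookie flagged cross-site-unpartitioned is one that relies on unrestricted third-party access and is a candidate for the alternatives described in the next section.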

Alternative Solutions: Privacy Sandbox

To replace the functionality provided by third-party cookies, the Privacy Sandbox project offers several alternative APIs. These APIs aim to maintain user privacy while enabling essential use cases. Let’s explore some key alternatives:

Partitioned Cookies

Partitioned cookies, introduced through the CHIPS (Cookies Having Independent Partitioned State) mechanism, allow third-party cookies to be partitioned by top-level sites. This approach reduces the risk of cross-site data leaks. Consider implementing partitioned cookies if the service is used as a component across multiple sites. Here’s an example of how to set a partitioned cookie:

document.cookie = "cookie-name=value; SameSite=None; Secure; Path=/; Partitioned;";

First-Party Sets

First-Party Sets (FPS) enable limited cross-site cookie access by declaring relationships among sites. By declaring our sites as part of a First-Party Set, we can use the Storage Access API (SAA) and the requestStorageAccessFor API to request access to cookies across these sites. Here’s an example of using the requestStorageAccessFor API:

if ('requestStorageAccessFor' in document) {
  // Request cookie access for another site in the same First-Party Set
  document.requestStorageAccessFor('https://mamikos.com')
    .then(() => {
      // Access granted, continue the operations
    })
    .catch((error) => {
      console.error('Storage access request failed:', error);
    });
}

Other Privacy Sandbox APIs

Apart from partitioned cookies and First-Party Sets, the Privacy Sandbox project offers various APIs to address specific use cases. For example, the Private State Tokens API helps combat fraud while preserving user privacy. Explore these APIs to find suitable replacements for current use of third-party cookies.

Implementing the Necessary Changes

Once we’re done with the essential steps above, it’s time to implement the necessary changes. We can follow this step-by-step process:

  1. Update our code to ensure first-party cookies have the appropriate SameSite attribute (Lax or Strict).
  2. Replace third-party cookies with alternative solutions such as partitioned cookies or First-Party Sets where applicable.
  3. Update our code to utilize Privacy Sandbox APIs that align with our use cases.
  4. Thoroughly test our site after making the changes to identify any issues caused by the removal of third-party cookies.

Embracing these changes proactively will ensure a smooth transition and help create a more privacy-centric web ecosystem.
